python-libnacl is a thin python wrapper over the libsodium C library,
using ctypes to interact with libsodium. I reviewed python-libnacl
1.4.5-0ubuntu1 from xenial. This shouldn't be considered a full security
audit but rather a quick check of maintainability. Furthermore this is
not an audit of the fitness for purpose of the cryptography in
libsodium.
- No CVE history in our database
- Depends:
  - debhelper, dh-python, libsodium-dev, pkg-config, python, python-all,
    python-nose, python-setuptools, python3, python3-all, python3-nose,
    python3-setuptools
  - Nothing out of the ordinary for a python package, in particular uses
    libsodium for all the heavy lifting
- Does not itself do networking
- Does not daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuid files
- No binaries in the PATH
- No sudo fragments
- No udev rules
- A test suite is run during the build
- No cron jobs
- Clean build logs
- No subprocesses spawned
- Uses file IO for storing keys, umask is appropriately set to ensure
  0400 permissions on resulting files
- Files are parsed as either json or msgpack (no dependency on
  python-msgpack so could this be abused at runtime to crash
  python-libnacl by trying to get it to use a msgpack file where it
  will fail on import msgpack?)
- No logging
- No environment variable use
- No privileged functions
- No networking
- No privileged portions of code
- No temp files
- No WebKit
- No PolKit
Only outstanding issue is whether this is missing a depend on
python-msgpack. Once this is resolved or rationalized, Security team ACK
for promoting python-libnacl in Xenial (and Trusty for the same version)
to main.
** Changed in: python-libnacl (Ubuntu Trusty)
Status: New => In Progress
** Changed in: python-libnacl (Ubuntu Xenial)
Status: New => In Progress
--
https://bugs.launchpad.net/bugs/1817327
Title:
[Mir] python-libnacl
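
An added example, not part of the original review and not python-libnacl's own code: it illustrates the two file-handling points raised above, creating a key file with mode 0400 through the umask and turning a missing msgpack module into a handled error rather than an unhandled ImportError. The names KeyFileError, get_codec, save_key and load_key are hypothetical, and the lazy msgpack import is an assumption taken from the review's question.

```python
import json
import os

# Hypothetical helper names for illustration; not python-libnacl's API.


class KeyFileError(Exception):
    """Key file could not be written or read in the requested format."""


def get_codec(serial):
    """Return (dumps, loads, binary) for a key-file format name."""
    if serial == "json":
        return json.dumps, json.loads, False
    if serial == "msgpack":
        try:
            import msgpack  # optional third-party module, imported lazily
        except ImportError as exc:
            # A missing optional dependency becomes a handled error.
            raise KeyFileError("msgpack format requested but the msgpack "
                               "module is not installed") from exc
        return msgpack.dumps, msgpack.loads, True
    raise KeyFileError("unsupported key-file format: %r" % (serial,))


def save_key(path, keydata, serial="json"):
    """Write keydata to a new file that ends up with mode 0400."""
    dumps, _, binary = get_codec(serial)
    blob = dumps(keydata)
    if not binary:
        blob = blob.encode("utf-8")
    old_umask = os.umask(0o277)  # mask everything except owner-read
    try:
        # O_EXCL: refuse to reuse an existing file or follow a symlink.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    finally:
        os.umask(old_umask)  # restore the caller's umask in all cases
    with os.fdopen(fd, "wb") as fh:
        fh.write(blob)


def load_key(path, serial="json"):
    """Read a key file; I/O and decode errors surface as KeyFileError."""
    _, loads, binary = get_codec(serial)
    try:
        with open(path, "rb") as fh:
            blob = fh.read()
        return loads(blob if binary else blob.decode("utf-8"))
    except (OSError, ValueError) as exc:
        raise KeyFileError("cannot read key file %s: %s" % (path, exc)) from exc
```

A caller that accepts a format name from outside only needs to catch KeyFileError, whether or not the msgpack module is installed.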